
ms00-100

Posted Dec 23, 2000

Microsoft Security Bulletin (MS00-100) - Microsoft has released a patch that eliminates the "Malformed Web Form Submission" security vulnerability in a component that ships as part of Microsoft Internet Information Server. The FrontPage Server Extensions (FPSE), which ship with and are installed by default as part of IIS 4.0 and 5.0, have a vulnerability that crashes IIS when a malformed form submission is sent. Microsoft's FAQ on this issue is available at http://www.microsoft.com/technet/security/bulletin/fq00-100.asp.

tags | web
SHA-256 | 0570cc66d8a2848c8d874674c177c4fefa1b9043c8e990e815130176ea89c8ad

   Microsoft Security Bulletin (MS00-100)

Patch Available for Malformed Web Form Submission Vulnerability

Originally posted: December 22, 2000

Summary

Microsoft has released a patch that eliminates a security
vulnerability in a component that ships as part of Microsoft® Internet
Information Server. The vulnerability could potentially allow an
attacker to prevent an affected web server from providing useful
service.

Frequently asked questions regarding this vulnerability and the patch
can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-100.asp

Issue

The FrontPage Server Extensions (FPSE) ship with and are installed by
default as part of IIS 4.0 and 5.0. The most familiar FPSE functions
allow web site and content management; however, FPSE also provides
browse-time support functions. Among the functions included in the
latter category are ones that help process web forms that have been
submitted by a user. A vulnerability exists in one of these functions.
If a malicious user sent a specially malformed form submission to an
affected server, it would cause the IIS service to fail. The
vulnerability does not provide the opportunity to misuse any of the
FPSE administrative or content management functions.

To resume normal operation on an IIS 4.0 server, the operator would
need to restart the service. In contrast, if an IIS 5.0 server were
attacked via this vulnerability, the IIS service would, by default,
automatically restart almost immediately. Although any web sessions
that were in progress at the time of the attack would be lost, the
server would be able to accept new connections as soon as the service
was restarted. FPSE is installed by default as part of IIS 4.0 and
5.0, but, in keeping with best practices, Microsoft recommends that
they be disabled if not needed.

Affected Software Versions

* Microsoft IIS 4.0
* Microsoft IIS 5.0

Patch Availability

* Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26277
* Microsoft IIS 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=26704

Note: The IIS 5.0 patch can be applied atop systems running either
Windows 2000 Gold or Service Pack 1. It will be included in Windows
2000 Service Pack 2.

Note: The IIS 4.0 patch can be applied atop systems running Windows NT
4.0 Service Pack 6a or 5. It will be included in Windows NT 4.0
Service Pack 7.

Note: IIS users who have removed the FPSE are not affected by this
vulnerability and do not need to take further action.

Note: Additional security patches are available at the Microsoft
Download Center.

More Information

Please see the following references for more information related to
this issue.
* Frequently Asked Questions: Microsoft Security Bulletin MS00-100,
http://www.microsoft.com/technet/security/bulletin/fq00-100.asp
* Microsoft Knowledge Base article Q280322 discusses this issue and
will be available soon.
* Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments

Microsoft thanks eEye Digital Security (http://www.eEye.com) for
reporting this issue to us and working with us to protect customers.

Revisions

* December 22, 2000: Bulletin Created.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS
OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY
NOT APPLY.

Last updated December 21, 2000
© 2000 Microsoft Corporation. All rights reserved. Terms of use.